Driving Execution of Target Paths in Android Applications with (a) CAR.

Dynamic program analysis is commonly used to vet Android applications. One approach is targeted execution, in which interesting or suspicious code is specifically targeted and analyzed dynamically. However, faithful execution to just the paths that reach these targets can be difficult due to the dependencies they have on other parts of the application. Prior works that handle dependencies must favor either soundness or completeness to the detriment of the other. Techniques that rely on precise dependency tracking ultimately result in lower coverage of targets due to overhead. Meanwhile, other techniques that aim for completeness by ignoring or bypassing dependencies lead to unsound execution and false positives. In this paper, we treat dependencies through the lens of a path context, which represents the program state expected by the path as it is executing. We propose an approach that provides better completeness and low false positives using Context Approximation and Refinement (Car), which combines static constraint analysis and dynamic error recovery to infer a context based on the desired path flow and refine it during execution. We show that the integration of Car with targeted execution can reach 3.1x more target locations in popular Android applications than the existing state of the art while having a false detection rate of 9%, enabling more complete analysis and detection of security-sensitive behaviors.